updated 04:18 pm EDT, Tue July 22, 2014
Company says no breach confirmed, but continuing investigation with authorities
Goodwill Industries International, the business entity behind the popular nonprofit second-hand stores, announced this week that it is investigating a potential data breach involving credit card data. The breach was said to occur in selected stores within the United States, but Goodwill has offered no information on which stores were affected.
According to a statement from Goodwill, the company was contacted on Friday by federal authorities and a credit card fraud investigative unit that a number of stores may have been involved in a data theft. The statement mentions that Goodwill is working with authorities and industry contacts to review all of the information.
"At this point, no breach has been confirmed, but an investigation is underway," said the statement. "Goodwills across the country take the data of consumers seriously and their community well-being is our number one concern."
As the company looks into the breach, Goodwill spokeswoman Joye Taylor told CNN that an assembled team worked through the weekend to look into validity of the information. She confirmed that the company was working specifically with the United States Secret Service on the case. The government agency has had its hands busy since 2013 tracking other data breach activity including breaches at Target and Michaels craft stores.
"We are proactively engaged with the payment card industry contacts, the Secret Service and all Goodwill headquarters to identify what problem, if any, exists so that we can take prompt and appropriate actions as well as communicate appropriately to any affected parties," said Taylor.
Brian Krebs, of Krebs on Security, first reported on the possible breach, adding that it's unknown at this time how long ago the breach started. However, Krebs adds that the sources that informed him of the breach state that it "could extend back to the middle of 2013."
Krebs claims that insiders indicated that "multiple locations" are involved in the breach across numerous states. Insiders told Krebs that the breach could be across as many as 21 states, "including Arkansas, California, Colorado, Florida, Georgia, Iowa, Illinois, Louisiana, Maryland, Minnesota, Mississippi, Missouri, New Jersey, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, Washington and Wisconsin."
If the suspected data breach is found to have resulted in the theft of customers' credit cards, it will mark the sixth major chain hit in recent history. P.F. Chang's, the most recent breach involving credit cards, still hasn't released major details on its case.